![(Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview) [MC1097225]](https://mwpro.co.uk/wp-content/uploads/2024/08/pexels-pixabay-208821-1024x683.webp "(Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview) [MC1097225] 1")
Updated October 20, 2025: We have updated the rollout timelines and content below. Thank you for your patience.
In November 2025, we will expand the passkey (FIDO2) authentication methods policy in Microsoft Entra ID to support passkey profiles in public preview. This update will enable granular, group-based control over passkey configurations and introduce new API schema changes.
[When this will happen:]
Public Preview (Worldwide): We will begin rolling out early November 2025 and expect to complete by early December 2025.
Public Preview (GCC, GCC High, DoD): We will begin rolling out mid-November 2025 and expect to complete by mid-December 2025.
[How this will affect your organization:]
After this rollout, you’ll be able to apply different passkey configurations per user group. For example, you will be able to:
- Allow the use of specific FIDO2 security key models for user group A
- Allow the use of passkeys in Microsoft Authenticator for user group B
Important: If your organization opts-in to the new admin UX and modifies the Default passkey profile, the new schema will take effect. If you continue using Graph API or third-party tools to modify the policy, the schema will not change until General Availability.
These new settings will be available at Microsoft 365 admin center > Home > Security > Authentication methods > Passkey (FIDO2) settings:
As part of this update in November 2025, if Enforce attestation is disabled, we will start accepting security key or passkey providers using the following attestation statements:
- “none”
- “tpm”
- “packed” (AttCA type only)
- Custom attestation formats ≤ 32 characters
This will allow a wider range of security keys and passkey providers to be accepted for registration and authentication in Microsoft Entra ID. To compare this upcoming update with the current behavior, refer to Microsoft Entra ID attestation for FIDO2 security key vendors
[What you need to do to prepare:]
This rollout will happen automatically by the specified dates with no admin action required before the rollout. You may want to review your current passkey configuration, notify your admins about this change, and update internal documentation.
Learn more about passkeys in Microsoft Entra ID: Enable passkeys for your organization – Microsoft Entra ID | Microsoft Learn (will be updated before rollout)
Source: Microsoft
<<< [MC1097225] Archive
Tooltip: View earlier revisions of this post
Latest Posts
- Microsoft SharePoint: Retirement of IDCRL authentication protocol and enforcement of OpenID Connect and OAuth protocols [MC1184649]
- Viva Engage: Update storyline cover photos in Teams for iOS [MC1184648]
- Microsoft 365 Copilot: Configure connected agents for Researcher and other agents [MC1184654]
- Microsoft Teams: In-app survey feedback policies will be managed by default with Microsoft 365 Cloud Policy [MC1184651]
![Power Pages – Power Pages version 9.7.9.x Pre-Production Release [MC1176188]](https://mwpro.co.uk/wp-content/uploads/2025/06/giraffe-5767909_1920-96x96.webp "Power Pages - Power Pages version 9.7.9.x Pre-Production Release [MC1176188] 8")